Friday 22 March 2019

Information Security 101 - A talk on PixelsCamp V3.0


Link to the Powerpoint file: 


Dearly beloved, we are gathered here today to discuss Information Security.

Join me around the campfire and let’s start…




Mandatory "who's this guy and what's all of this about" slides.
I decided to make the presentation available to the audience beforehand to allow every participant to follow it at their own pace.

Also, please note the LEGAL DISCLAIMER, as I was expressing my own opinions and not those of my employer.






Heard in 2002: “If you’re not paying for it, you’re the product” but what does it mean?

Link to Wall Street Journal article: 
https://www.wsj.com/graphics/how-pizza-night-can-cost-more-in-data-than-dollars/


It all starts with a text message: “Wanna come for pizza and a movie?”


Consider the Data provided vs. Data collected.
Just some highlights:
  



So… what can we do about it?...

Let’s take a step back….
"Passwords are like underwear: change them often and don’t show them in public."

I have a friend who ends up losing a credit card every 3 months or less :)
The downside: she has to re-enter her new card details for every service: every product ordered, Netflix, Android Pay, parking payments.
The upside: she gets a new card every 3 months, which shortens the window in which a leaked card number can be abused.

But... does this make any sense?!
It’s pretty much the same thing we ask of users:
"Change often, has to be complex, 12 chars, 4 symbols, a drop of blood from your firstborn child and a tear of a unicorn."
And then we blame the user when things go wrong!




And if we’re really smart, really into this SECURITY stuff, we all know we should use 2-factor authentication.

Because SAFETY!!! Yes, it’s all about safety, that will keep us safe, right?



Well, no, not really…
We have been nagging users about passwords for the last 20 years…
But it is hardly ever the user’s password that is to blame for the significant data breaches.





We must solve this:
The consequence is personal data abuse and a society controlled by The Others (Brexit, Trump, Bolsonaro).





Let’s talk about management systems



Everyone can bake a cake at home.
We can handle interruptions. We can handle supply issues. Most of the time it’s a one-off. We are the client; no need to meet anyone’s needs or expectations.


Now you run a bakery. Very small IT footprint, maybe a computer running ERP / CRM / Excel / a minimal website.
You now have procedures to handle raw materials when they arrive, laws to abide by, periodic maintenance on machines, financial goals.
You’re working within a context, with shareholders, suppliers, clients, employees, neighbours, authorities…
You have to meet the needs and expectations of interested parties if you want to survive.
So we make plans.


Suddenly…

Your supplier changes, your target clientele changes, your raw materials are no longer available, you have to abide by different regulations, you want to move into a different market, your country foolishly decides to leave the EU, your employees die, you die.
Allow me to introduce you to some nice friends…


Deming and a lovely lady.
The PDCA (Plan-Do-Check-Act) / continuous improvement cycle.


Management systems: not the hero we call for, but the hero we need.
That means defining processes, monitoring, keeping tabs on what went wrong and what went right.
But it pays off every time.
Risk covers both the positive and the negative things that can and will happen.
It’s all about figuring out what can change, what its impact is, and whether we wish to mitigate it or reap the benefits.


The future, as we can see it
Robotized Cake Factory, very few people.


Confidentiality, Integrity, Availability

Access (physical access, user access management)
Operations (backups, pentests, scans, logs)
Network protection
Secure software development lifecycle (plug the holes: NIST and OWASP frameworks, vetted libraries)


Well, no, not really.

We’ll look into a real world scenario… but first…

The ability to wing it, sometimes referred to as one of the greatest Portuguese assets, only provides a short-term, sub-standard solution.
It will kill you in the long run.




Up until now, fines were limited to 500k.
Data breaches before and after GDPR.
GDPR comes with a very loooong enforcement stick, giving people rights even before they realise they have them.
Huge impact on data subjects’ rights. Humongous!



If you lose a dead hard disk that has been sitting in a drawer for the last 3 years, that’s a data breach.
If tapes go up in flames, that’s a data breach.
You have to define a justifiable data retention policy. And then abide by it.
When the data subject asks for their data you must provide it. If you lost it (and didn’t report it), you’re in trouble.
If you decide on a loan by profiling, your client has the right to meaningful information about the logic involved.
Scope: an American company creating a user account for a Japanese guy is within the scope of GDPR (because he’s in Slovenia).
Data minimisation. Collect only the information you need. GDPR killed the big data star.
Privacy by design. Look at your software development lifecycle and include GDPR compliance at the earliest stages.
When things go wrong you’re in trouble. YOU MUST ABIDE BY THESE RULES!
I’m just the messenger. You don’t have to agree with me. You can even say it’s just #ProjectFear…
But in the end, “Talk to the hand, because the judge is not listening.”


January 2019

"You can not say Information Security and Android in the same sentence with a straight face."
Who agrees with this? … It’s OK if you don’t agree with me.


The real world example with an iOS app:
Can you spot "Informed consent" on this picture?


Let’s look at the same app, developed in Xamarin, a cross-platform environment...

HOUSE RULE: If you have the latest version you can shut up now, and the reason is twofold: you’re still irrelevant (you belong to the 3%) and it didn’t address the root cause.

This was a company very conscious of data privacy: they handle personally identifiable information and personal health information, have been managing it for decades and have a quite impressive system.

What went wrong?
Consent requested at install time, not when the data is actually needed.
Either you accept all of these or you don’t use the app.
Even Microsoft Office apps on Android ask for access to your phone call log, SMS content and information about machines on your corporate network. And these are high-profile apps. What about low-grade, dodgy-looking junk apps? Anyone’s guess.
Access to data without even hacking is the Android de facto standard.
Low visibility on what the permissions really mean.
Low granularity. Fixed in the latest version? Yeah, right…
The average age of the installed Android version is… 3.5 years, and that covers 80% of devices.
By 2022 you’ll still have 30%+ of devices built on a GDPR non-compliant philosophy.
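As an added example (not code from the talk, nor from the app discussed above), this is what "ask when required" looks like on Android 6.0+ (API 23), where dangerous permissions are granted at runtime instead of in bulk at install: the app checks and requests READ_CONTACTS only when the user taps the one feature that needs it, explains why in the UI rather than in the Terms & Conditions, and keeps working if the user says no. The permission, activity name, request code and the two feature methods are illustrative assumptions.

```kotlin
// Added example, not code from the talk or from the app it describes.
// Assumptions: the feature "share with a contact" needs READ_CONTACTS; the
// activity, request code and the two feature methods are illustrative.
// Requires <uses-permission android:name="android.permission.READ_CONTACTS"/>
// in AndroidManifest.xml and targetSdkVersion >= 23 so that the runtime
// permission model applies.
import android.Manifest
import android.content.pm.PackageManager
import android.widget.Toast
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

class ExportActivity : AppCompatActivity() {

    private companion object {
        const val REQUEST_CONTACTS = 42                          // assumed request code
        const val PERMISSION = Manifest.permission.READ_CONTACTS // assumed permission
    }

    // Entry point for the one feature that needs contact data. Nothing is
    // requested at install time or at first launch; the question is asked
    // when (and only when) the user wants this feature.
    fun onShareWithContactTapped() {
        when {
            ContextCompat.checkSelfPermission(this, PERMISSION) == PackageManager.PERMISSION_GRANTED ->
                shareWithContact()

            // The user declined once before: say why the feature needs the
            // data, in the UI, then ask again.
            ActivityCompat.shouldShowRequestPermissionRationale(this, PERMISSION) ->
                AlertDialog.Builder(this)
                    .setTitle("Why contacts?")
                    .setMessage("Sharing to a contact reads your address book to pick a recipient. Nothing is uploaded.")
                    .setPositiveButton("Ask me") { _, _ -> requestContacts() }
                    .setNegativeButton("No thanks") { _, _ -> exportToFile() }
                    .show()

            else -> requestContacts()
        }
    }

    private fun requestContacts() =
        ActivityCompat.requestPermissions(this, arrayOf(PERMISSION), REQUEST_CONTACTS)

    override fun onRequestPermissionsResult(
        requestCode: Int,
        permissions: Array<out String>,
        grantResults: IntArray
    ) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults)
        if (requestCode != REQUEST_CONTACTS) return
        val granted = grantResults.isNotEmpty() &&
            grantResults[0] == PackageManager.PERMISSION_GRANTED
        if (granted) {
            shareWithContact()
        } else {
            // Denied: degrade this one feature instead of refusing to run the app.
            Toast.makeText(this, "Sharing to a contact is off; exporting to a file instead.", Toast.LENGTH_LONG).show()
            exportToFile()
        }
    }

    // Illustrative feature implementations (placeholders for the real app code).
    private fun shareWithContact() =
        Toast.makeText(this, "Contact picker would open here.", Toast.LENGTH_SHORT).show()

    private fun exportToFile() =
        Toast.makeText(this, "Export written to app storage; no contacts touched.", Toast.LENGTH_SHORT).show()
}
```

Two caveats a practitioner would add. First, the manifest should only declare permissions for features the app actually has (data minimisation applies to permissions too). Second, on devices below API 23 the same manifest entry is still granted in bulk at install time and this code never shows a prompt, so the runtime model only protects users whose devices have been updated, which is exactly the point about device age and the root cause above.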

Explanation on “CONSENT” was buried on the Terms & Conditions….




We must fix this...
… "with great power comes great responsibility."